Hi Asier,
> Networking & firewall are not my strong points, so perhaps this could
> sound like a silly question.
There are only silly answers...
> I've five linux VServers, each with its own _real_ IP address (not
> 192.168.x.y, 10.x, etc). Each one has its own services but I'd like to
> close access from outside to some ports, but allow full communication
> between the guests. The guests have valid IP addresses so I think
> [DS]NAT is not needed.
Communication between the guests never crosses the iptables rules, so
you can safely use the toolset of your distro to block the ports from
outside. If you want to do it by hand, there are a lot of rule builders
out there, but for simply blocking ports this should be sufficient:
iptables -I INPUT -p tcp --dport 3306 -j DROP
This will drop all connections to MySQL from outside. If you prefer a
whitelist approach you can deny all incoming traffic by policy and only
drill holes into the firewall where needed - but this is a bit of magic,
as you can really ruin your day if you lock yourself out of the box :)
Oliver
-- This message was digitally signed. oliwel's public key: http://www.oliwel.de/oliwel.crt Base certificate: http://www.ldv.ei.tum.de/page72
_______________________________________________
Vserver mailing list
Vserver@list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver
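The whitelist approach Oliver sketches (default DROP policy, then holes for what is needed, plus a guard against locking yourself out), written out as an added example. This is not code from the original mail or from the linux-vserver project; the guest addresses (203.0.113.x, a documentation range), the interface name `eth0` and the public port list are made-up placeholders, and 3306 is the MySQL port from the mail. The script only prints the ruleset unless you pass `apply`, so it can be reviewed before anything is loaded:

```shell
#!/bin/sh
# Added example, not from the original mail: a whitelist-style ruleset for a
# Linux-VServer host whose guests use public addresses. Default policy DROP,
# then holes are drilled for loopback, established flows, the guests
# themselves and the public service ports. Addresses, interface and port list
# are made-up placeholders for illustration.
GUEST_IPS="203.0.113.11 203.0.113.12 203.0.113.13 203.0.113.14 203.0.113.15"
PUBLIC_PORTS="22 80 443"   # TCP ports that must stay reachable from anywhere
WAN_IF="eth0"              # interface facing the outside (assumed name)

# Print a complete iptables-restore ruleset on stdout. Generating the whole
# table and loading it atomically avoids the window where the DROP policy is
# already in place but the ACCEPT holes are not.
build_ruleset() {
    echo "*filter"
    echo ":INPUT DROP [0:0]"
    echo ":FORWARD DROP [0:0]"
    echo ":OUTPUT ACCEPT [0:0]"
    # Local delivery (including guest-to-guest traffic routed locally) goes over lo.
    echo "-A INPUT -i lo -j ACCEPT"
    # Replies to connections we opened, and related ICMP errors.
    echo "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "-A INPUT -m conntrack --ctstate INVALID -j DROP"
    # Anything sourced from one of the guests: keeps e.g. MySQL (3306) open
    # between them while the same port stays closed for the rest of the internet.
    for ip in $GUEST_IPS; do
        echo "-A INPUT -s $ip -j ACCEPT"
    done
    # Ping and path-MTU discovery (assumption: you want ICMP to keep working).
    echo "-A INPUT -p icmp -j ACCEPT"
    # The public services, and nothing else.
    for port in $PUBLIC_PORTS; do
        echo "-A INPUT -i $WAN_IF -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo "COMMIT"
}

# Load the ruleset with a lock-out safety net: the previous rules are saved
# and restored automatically after 120 seconds unless you confirm that you
# can still reach the box and kill the timer (its PID is printed).
apply_with_rollback() {
    backup=$(mktemp)
    iptables-save > "$backup"
    build_ruleset | iptables-restore
    ( sleep 120 && iptables-restore < "$backup" ) &
    echo "$!"
}

case "${1:-show}" in
    show)  build_ruleset ;;           # just print the rules for review
    apply) apply_with_rollback ;;     # needs root; then: kill <pid> to keep them
    *)     echo "usage: $0 [show|apply]" >&2; exit 2 ;;
esac
```

Two caveats on the guest rule: a plain `-s` match can be satisfied by spoofed packets from outside, so if all five guests live on the same host (where their mutual traffic is delivered locally over `lo` and is already accepted by the loopback rule) you can drop the `-s` rules entirely, and if they live on other hosts you can tighten them with the interface they actually arrive on (for example `! -i $WAN_IF`). On older kernels without the `conntrack` match, `-m state --state` takes the same state names. Once the `apply` run has confirmed you can still log in, kill the printed PID and persist the rules with your distro's mechanism, otherwise the backup is restored after two minutes.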